CVE-2025-60020: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-60020 affects NNCP (Node to Node Copy Program) versions before 8.12.0. The vulnerability was discovered by Eugene Medvedev and disclosed on September 19, 2025. This security flaw allows path traversal attacks during freqing and file saving operations via crafted path in packet data. The vulnerability affects the freq and file commands in NNCP, a package that facilitates secure store-and-forward file and mail exchange (Debian Security, NNCP Devel).

The vulnerability exists in NNCP's handling of paths in freq and file functions. Despite the requirement for both functions to supply full paths in configuration, the affected versions accept and process paths containing '..' sequences. The vulnerability has a CVSS score of 6.0 (AV:N/AC:L/Au:S/C:P/I:P/A:N), indicating moderate severity with partial confidentiality and integrity impacts (Rapid7).

The vulnerability allows attackers to perform path traversal attacks that can access files outside the intended directories. An attacker could potentially request any file that NNCP has access to, including sensitive files such as configuration files containing private keys. Additionally, sent files can break out of the incoming directory and be written to any location where the user has write permissions (NNCP Devel).

The vulnerability has been fixed in NNCP version 8.12.0 and later. For Debian systems, fixes have been released in version 8.8.2-3+deb12u1 for oldstable (bookworm) and version 8.11.0-4+deb13u1 for stable (trixie) distributions. Users are recommended to upgrade their NNCP packages to the patched versions (Debian Security).

The vulnerability was responsibly disclosed through the NNCP development mailing list, where it received immediate attention from the maintainers. The NNCP maintainer Sergey Matveev acknowledged the issue and quickly merged the fix into the develop branch. The Debian security team also responded promptly by issuing security updates for affected distributions (NNCP Devel).